Driver’s Privacy Protection Act Making a Comeback in Claims Involving Personal Information
Posted: May 15, 2012
In 1994, before the advent of smartphones, 4G, and other technology advances that have become ubiquitous, the U.S. Congress passed the Driver’s Privacy Protection Act (“DPPA”). The statute protects drivers from having information from their motor vehicle record disclosed without a legitimate, enumerated purpose. The reason lawmakers enacted the DPPA was not to protect against identity theft, as we might suspect in today’s context, but to prevent stalkers and harassers from exploiting the local department of motor vehicles to locate their victims.
Although the DPPA is pretty straightforward and fairly limited in its application, it is used more often than one might expect. For instance, it has been asserted in class action lawsuits, such as suits by consumers against retailers that collect the driver’s license number of anyone seeking to return merchandise. It has also been used as the basis for a challenge to Kyleigh’s law, a New Jersey statute that forces drivers holding permits or provisional licenses to purchase and display a $4 pair of decals on the front and rear license plates of their cars. And consumers have even used it as a basis for claims that entering DOB data into a liquor store cash register when checking IDs in connection with alcohol sales violates the DPPA.
So we thought we’d ask and answer the question – what exactly does the DPPA prohibit, and what does it not prohibit?
The first part of the statute, 18 U.S.C. Section 2721, says that a state DMV or state officer may not “knowingly disclose or otherwise make available…personal information…about any individual obtained by the department in connection with a motor vehicle record.” The second part of the statute, Section 2722, is seemingly broader, and makes it “unlawful for any person knowingly to obtain or disclose personal information, from a motor vehicle record, for any use not permitted under section 2721(b) of this title.” But, section 2721(b) includes a broad permission “[f]or use in the normal course of business by a legitimate business or its agents, employees, or contractors, but only — to verify the accuracy of personal information submitted by the individual to the business or its agents, employees, or contractors.” So, checking a driver’s license for DOB data or verifying an address when taking a check are permissible uses. As to whether the information can be saved, photocopied, or electronically archived, it depends on whether the business can justify this practice as part of the verification process.
Even though the statute grants this broad permitted use for legitimate business purposes, it makes sense for retailers to be aware of the DPPA and to check periodically to make sure that practices at the point of sale haven’t drifted too far afield of the “checking for accuracy” purpose. The statute provides for a civil remedy for its violation of not less than $2,500 per consumer. So, as plaintiffs continue to bring class action lawsuits that challenge the collection and storage of all kinds of data, there is strong incentive to continue to trot out the DPPA. No rest for the weary.
For more information, please contact Mary Jane Yoon.